Azure Owner Role cannot create Resource Group - azure

I am assigned an owner role in my Employer's Azure subscription. He was able to create resource groups, but I can't. We're both wondering why since I was already assigned as Owner, the highest role aside from subscription level.
When I try the az group create --name myGroup -l southeastasia command, its response is:
The client 'live.com#<myAccount>#outlook.com' with object id '<object ID>'
does not have authorization to perform action 'Microsoft.Resources/subscriptions/
resourcegroups/write' over scope '/subscriptions/<subscription>/resourcegroups/<myGroup>'.
Edit: I have no subscription level resources

Do you have multiple subscriptions in your tenant? If yes, you should set the active one.
# list subscriptions
az account list --output table
# change the active subscription
az account set --subscription "My Demos"
If you only have one subscription, I suggest you create an SP, then use the SP to create a new resource group. See this link.
Update:
You should give the Owner role at the subscription level. According to your screenshot, you gave the Owner role at the resource group level, so you can only create resources in that resource group; you cannot create a new resource group. You should give the Owner role on your subscription, like below:

Note: This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners contributor rights on the subscription level which contradicts with their strategy of isolating access down to the level of resource group level not the subscription level.
For the root cause and a quick resolution, refer to "Common problem when using Azure resource groups & RBAC".

Well, the error clearly says you don't have rights over the scope, so you are either Owner of the wrong subscription or you have a role that specifically restricts that.

Related

Azure RBAC Permission

There is a use case I am looking for a solution to. Assume I am assigning the RBAC Owner role to a user (xxx) at the subscription level. But now I need to exclude this permission for one of the resource groups under this subscription. Is that feasible?
No. Azure RBAC permissions cannot be removed like that.
Owner at subscription level means Owner on all resource groups and resources under it.
You need to assign the roles at resource group level if you want to restrict them there.
The other option is to separate the resources to a different subscription.
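The two threads above (Owner on a resource group failing to create a new resource group, and Owner on a subscription that cannot be carved out for one resource group) come down to the same rule: a role assignment applies at its scope and at every scope beneath it, never above it or beside it. The following is an added example, not code from either thread, that models that rule with simplified copies of the built-in Owner, Contributor and Reader definitions (only the first few Contributor NotActions are included) and a constructed subscription id and principal name.

```python
"""Toy model of Azure RBAC scope inheritance and action matching.

Added example, not from the original thread. Role definitions are simplified
from the built-in roles; the subscription id and principal are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified built-in role definitions (Actions / NotActions).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [  # subset of the real NotActions list
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
ME = "alice@example.com"                                     # constructed principal
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
SQL_REGISTER = "Microsoft.Sql/register/action"  # provider registration is a subscription-scope action


@dataclass(frozen=True)
class Assignment:
    principal: str  # UPN or object id
    role: str       # key into ROLES
    scope: str      # e.g. /subscriptions/<id>/resourceGroups/<name>


def _norm(scope: str) -> str:
    # Scopes are compared case-insensitively and without a trailing slash.
    return scope.rstrip("/").lower()


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment at scope S covers S itself and every child scope of S, nothing else."""
    a, t = _norm(assignment_scope), _norm(target_scope)
    return t == a or t.startswith(a + "/")


def _matches(action: str, patterns) -> bool:
    # Action patterns use '*' wildcards (which also span '/') and are case-insensitive.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: str, action: str) -> bool:
    """Allowed when some Actions pattern matches and no NotActions pattern matches."""
    role_def = ROLES[role]
    return _matches(action, role_def["actions"]) and not _matches(action, role_def["not_actions"])


def is_authorized(assignments, principal: str, action: str, scope: str) -> bool:
    """True if any assignment for the principal reaches the scope and its role permits the action.
    There is no deny here: extra assignments can only widen access, never narrow it."""
    return any(
        a.principal == principal and scope_covers(a.scope, scope) and role_permits(a.role, action)
        for a in assignments
    )


def demo() -> dict:
    """The situations from the thread as named checks; returns {name: authorized}."""
    existing_rg = f"{SUB}/resourceGroups/existing-rg"
    new_rg = f"{SUB}/resourceGroups/myGroup"
    rg_owner = [Assignment(ME, "Owner", existing_rg)]
    sub_owner = [Assignment(ME, "Owner", SUB)]
    rg_contrib = [Assignment(ME, "Contributor", existing_rg)]
    return {
        # Owner on one RG does not reach a sibling RG, let alone one that does not exist yet.
        "rg_owner_creates_rg": is_authorized(rg_owner, ME, RG_WRITE, new_rg),
        # ...but it does cover resources inside the RG it was granted on.
        "rg_owner_creates_vm": is_authorized(
            rg_owner, ME, VM_WRITE, f"{existing_rg}/providers/Microsoft.Compute/virtualMachines/vm1"),
        # Owner at subscription scope is what resource-group creation needs.
        "sub_owner_creates_rg": is_authorized(sub_owner, ME, RG_WRITE, new_rg),
        # Subscription Owner reaches every RG; no assignment can carve one out.
        "sub_owner_in_restricted_rg": is_authorized(
            sub_owner, ME, VM_WRITE,
            f"{SUB}/resourceGroups/restricted-rg/providers/Microsoft.Compute/virtualMachines/vm2"),
        # Contributor creates resources but cannot hand out access.
        "rg_contributor_creates_vm": is_authorized(
            rg_contrib, ME, VM_WRITE, f"{existing_rg}/providers/Microsoft.Compute/virtualMachines/vm3"),
        "rg_contributor_assigns_role": is_authorized(rg_contrib, ME, ROLE_ASSIGN_WRITE, existing_rg),
        # Registering a provider happens at subscription scope, out of reach of an RG-scoped Owner.
        "rg_owner_registers_provider": is_authorized(rg_owner, ME, SQL_REGISTER, SUB),
        "sub_owner_registers_provider": is_authorized(sub_owner, ME, SQL_REGISTER, SUB),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'allowed' if ok else 'DENIED'}")
```

The only way this model lets the restricted-rg check fail is to move the Owner assignment down to the other resource groups, or to move the restricted resources into another subscription, which is exactly the answer given above.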

You do not have permissions to create resource groups under subscription **Concierge Subscription**

MS Learn Azure - "You do not have permissions to create resource groups under subscription Concierge Subscription" when I tried to create a resource group.
Concierge Subscription is a type of MS Sandbox subscription.
Operations you can do in a specific sandbox are restricted, depending on the content of the module you activated Sandbox for. In most cases you already have some resource group created, so you don't have to create a new one.
To summarize - "You don't have permissions to create resource groups" in this specific subscription.

Service principal or Managed Identity

I have a client that can only give me full access to one or two resource groups.
I need to deliver some prescripted terraform resources that contain the need for a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription so they want to know if you can tie down using role base access just to that group.
Or should I be creating an MI account?
Can you lock an SP to a resource group?
You most certainly can. Azure Role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even at individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.

Azure inherited permissions

I need that on all objects that are created in a "resource group", an "AD group" has contributor permissions
I don't want to give contributor access to the Resource Group.
Is this possible? How can I do it?
If I am reading this right, what you need to happen when you create a resource within a resource group is that a preset Contributor group is added to that resource automatically, correct? If this is the case, then you can achieve this by adding the preset Contributor group to your Subscription. Then any resource group that derives from that Subscription will inherit the preset Contributor group.

In Azure, how to allow non-subscription admins to create new resources

I have a Resource Group (RG) in Azure. I am the subscription admin and in the RG my role is Owner. I also have two other users assigned to this RG, and their roles are also Owners.
I can create any resources in the RG with no issues. The other 2 users cannot. For example, when they tried to add a SQL Server resource, they were told that "The subscription doesn't have permissions to register the resource provider(s): Microsoft.Sql".
Question: is it possible to grant those non-subscription admin users permission to create resources in the RG or this is something only subscription admin can do?
Yes, you can do that in two ways: grant permission to register resource providers, or register all resource providers upfront.
To register resource providers, use PowerShell or the CLI. PowerShell sample:
Get-AzureRmResourceProvider -ListAvailable | Where-Object { $_.RegistrationState -eq 'NotRegistered'} | Register-AzureRmResourceProvider
Or use the portal. Go to subscriptions, pick subscription in question, pick resource providers and register needed resource providers.
Reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Explanation:
https://blogs.msdn.microsoft.com/azure4fun/2016/10/20/common-problem-when-using-azure-resource-groups-rbac/
Yes. You can. In the Subscriptions Tab on the left of your portal screen, select your subscription and go to IAM (Identity and Access Management). Select the role that you wish to give to the users in this case "SQL Server Contributor" and add the users. Contributor role will give them the right to create/delete resources but not the right to give access to the same resource to other users. Check this link for more details.
You can register the required resource providers in the same Subscriptions Tab, in the Resource Providers section.
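The PowerShell one-liner above registers every provider in the subscription. A narrower approach is to register only the namespaces a deployment actually uses. The following added example (not code from the thread) parses provider state in the shape `az provider list` returns (a constructed sample is embedded), derives the needed namespaces from a list of resource types, pulls namespaces out of the error message quoted in the question, and emits the `az provider register` commands a subscription-level Contributor or Owner would run. All namespaces, states and resource types in the sample are constructed.

```python
"""Plan resource-provider registration from a deployment's resource types.

Added example, not from the original thread. SAMPLE_PROVIDER_LIST is a
constructed stand-in for `az provider list -o json` output.
"""
import json

# Constructed sample in the shape of `az provider list -o json` (only the fields used here).
SAMPLE_PROVIDER_LIST = json.dumps([
    {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
    {"namespace": "Microsoft.Sql", "registrationState": "NotRegistered"},
    {"namespace": "Microsoft.Storage", "registrationState": "Registered"},
    {"namespace": "Microsoft.Web", "registrationState": "NotRegistered"},
    {"namespace": "Microsoft.KeyVault", "registrationState": "Registering"},
])


def namespace_of(resource_type: str) -> str:
    """'Microsoft.Sql/servers/databases' -> 'Microsoft.Sql'."""
    return resource_type.split("/", 1)[0]


def provider_states(provider_list_json: str) -> dict:
    """Map lower-cased namespace -> registrationState."""
    return {p["namespace"].lower(): p["registrationState"] for p in json.loads(provider_list_json)}


def providers_to_register(provider_list_json: str, resource_types) -> list:
    """Namespaces used by resource_types that are not yet in the Registered state.
    A namespace missing from the list is treated as NotRegistered; 'Registering'
    counts as not ready, since deployments still fail until it completes."""
    states = provider_states(provider_list_json)
    needed = sorted({namespace_of(t) for t in resource_types}, key=str.lower)
    return [ns for ns in needed if states.get(ns.lower(), "NotRegistered") != "Registered"]


def namespaces_from_error(message: str) -> list:
    """Extract namespaces from 'The subscription doesn't have permissions to register
    the resource provider(s): Microsoft.Sql' (a comma-separated list may follow)."""
    marker = "resource provider(s):"
    idx = message.find(marker)
    if idx < 0:
        return []
    tail = message[idx + len(marker):]
    return [ns.strip().rstrip(".") for ns in tail.split(",") if ns.strip()]


def register_commands(namespaces) -> list:
    """CLI commands to run with a subscription-scoped Contributor or Owner."""
    return [f"az provider register --namespace {ns}" for ns in namespaces]


if __name__ == "__main__":
    # Constructed deployment: a SQL server with a database, a storage account and a VNet.
    deployment = [
        "Microsoft.Sql/servers",
        "Microsoft.Sql/servers/databases",
        "Microsoft.Storage/storageAccounts",
        "Microsoft.Network/virtualNetworks",
    ]
    for cmd in register_commands(providers_to_register(SAMPLE_PROVIDER_LIST, deployment)):
        print(cmd)
    error = "The subscription doesn't have permissions to register the resource provider(s): Microsoft.Sql"
    print("from error:", namespaces_from_error(error))
```

Against a live subscription the sample would be replaced by `az provider list -o json`; the AzureRm cmdlets in the answer above have Az-module equivalents (`Get-AzResourceProvider`, `Register-AzResourceProvider`) that can be filtered the same way.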
